Routine network penetration testing may shed light on exposures to external threats, but it can also put damning evidence in the hands of competitors and plaintiffs who sue your organization.
Attorneys caution that pen tests generate lengthy reports of system inaccuracies and vulnerabilities that could be used in court against a company.

"If the company fails to adequately correct all of the problems [pointed out by a pen test]," says Forrest Morgan, a principal at the law firm Morgan and Cunningham, "this report will be open to discovery by plaintiffs' counsel." Prosecutors also many use the information to "demonstrate the company failed to exercise due care in protecting information if there is a subsequent loss of critical information through unauthorized access to the system," he added.

Morgan and partner Bryan Cunningham suggest that enterprises have their attorneys retain the penetration testers, which in turn places the process under the umbrella of attorney-client privilege.

"When the pen test results are provided to the attorneys to assist in the overall evaluation process, the results may well be protected from discovery and public disclosure," Morgan said.

Outside of such a relationship, Morgan calls a penetration test a potential disaster.